Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 4 replies
  • Subscribers 27 subscribers
  • Views 8680 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

OpenVPN CVE-2017-5868

Bobby Renaud

Hello,

 

I was just wondering if the XG Firewall uses OpenVPN, in particular the OpenVPN web UI. I don't think it does, but I just want to me sure because I use the OpenVPN clients on some of my endpoints to VPN in using SSL VPN Remote Access.

Here is a link if anyone wants to take a look for more information. Like I said, I don't think we are impacted but I just want to make sure. 

http://www.theregister.co.uk/2017/05/24/last_week_openvpn_client_is_secure_brthis_week_unpatched_bug_in_openvpn_server/

 

Thanks!

 



This thread was automatically locked due to age.
Parents
  • 0

    Well source by the "The Hacker news" there are involved others CVE 2017-7521; CVE-2017-7520; CVE-2017-7508 and CVE-2017-7522

    Researcher Guido Vranken discovered four security holes in OpenVPN.

    It seems that one bug is client-side, that could allow an attacker to steal a password to gain access to the proxy.

    More details on "The OpenVPN Post-audit Bug bonanza" by Vranken. guidovranken.wordpress.com/.../

    Regarding the version of the client used by Sophos I am not sure and overall if the version inside the firewall is comprimesed or not: I think just Sophos could answer.

    Checking on a VPN client NOT RECENTLY DOWNLOADED I found:

    Mon Jul 17 16:34:46 2017 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Dec  9 2016
    Mon Jul 17 16:34:46 2017 library versions: OpenSSL 1.0.1u  22 Sep 2016, LZO 2.09

    So please Sophos explain to us wich is the version of OpenVPN used by for example inside XG firewall and is affected or not.

Reply
  • 0

    Well source by the "The Hacker news" there are involved others CVE 2017-7521; CVE-2017-7520; CVE-2017-7508 and CVE-2017-7522

    Researcher Guido Vranken discovered four security holes in OpenVPN.

    It seems that one bug is client-side, that could allow an attacker to steal a password to gain access to the proxy.

    More details on "The OpenVPN Post-audit Bug bonanza" by Vranken. guidovranken.wordpress.com/.../

    Regarding the version of the client used by Sophos I am not sure and overall if the version inside the firewall is comprimesed or not: I think just Sophos could answer.

    Checking on a VPN client NOT RECENTLY DOWNLOADED I found:

    Mon Jul 17 16:34:46 2017 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Dec  9 2016
    Mon Jul 17 16:34:46 2017 library versions: OpenSSL 1.0.1u  22 Sep 2016, LZO 2.09

    So please Sophos explain to us wich is the version of OpenVPN used by for example inside XG firewall and is affected or not.

Children
No Data